This HIPAA Sub Business Associate Agreement ("Sub Agreement") is entered into by and between HR Simplified, Inc. ("Business Associate") and [Vendor Name] on behalf of itself and its Affiliates ("Subcontractor") (each a "Party" and collectively the "Parties").

WHEREAS, Business Associate has entered into contracts with certain covered entities (each such covered entity a "Covered Entity", and collectively "Covered Entities") that require Business Associate to provide satisfactory assurances that Business Associate will appropriately safeguard all health information protected under the Privacy Rule and Security Rule (as defined below) that is disclosed by, or created or received by, Business Associate on behalf of such Covered Entities; and

WHEREAS, Subcontractor provides certain services to Business Associate.

THEREFORE, and in consideration for the mutual benefit provided to each Party under the Agreement, the Parties agree as follows:

1. DEFINITIONS

1.1 Unless otherwise specified in this Addendum, all capitalized terms used in this Addendum not otherwise defined in this Addendum or otherwise in the Agreement have the meanings established for purposes of the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (collectively, "HIPAA") and ARRA, as each is amended from time to time. Capitalized terms used in this Addendum that are not otherwise defined in this Addendum and that are defined in the Agreement shall have the respective meanings assigned to them in the Agreement. To the extent a term is defined in both the Agreement and in this Addendum, HIPAA or ARRA, the definition in this Addendum, HIPAA or ARRA shall govern.

1.2 "Affiliate", for purposes of this Addendum, shall mean any entity that is controlled by or under common control with Subcontractor.
For this purpose, "control" means the legal, beneficial, or equitable ownership, directly or indirectly, of fifty percent (50%) or more of the capital stock (or other ownership interest, if not a corporation) of such entity ordinarily having voting rights. "Common Control" means control of two or more entities by a common parent organization.

1.3 "ARRA" shall mean Subtitle D of the Health Information Technology for Economic and Clinical Health Act provisions of the American Recovery and Reinvestment Act of 2009, 42 U.S.C. 17921-17954, and any and all references in this Addendum to sections of ARRA shall be deemed to include all associated existing and future implementing regulations, when and as each is effective.

1.4 "Electronic Protected Health Information" ("ePHI") shall mean PHI as defined in Section 1.7 that is transmitted or maintained in electronic media.

1.5 "PHI" shall mean Protected Health Information, as defined in 45 C.F.R. 160.103, and is limited to the Protected Health Information received from, or received or created on behalf of, Covered Entity by Business Associate or Subcontractor pursuant to performance of the Services.

1.6 "Privacy Rule" shall mean the federal privacy regulations issued pursuant to the Health Insurance Portability and Accountability Act of 1996, as amended from time to time, codified at 45 C.F.R. Parts 160 and 164 (Subparts A & E).
1.7 "Security Rule" shall mean the federal security regulations issued pursuant to the Health Insurance Portability and Accountability Act of 1996, as amended from time to time, codified at 45 C.F.R. Parts 160 and 164 (Subparts A & C).

1.8 "Services" shall mean, to the extent and only to the extent they involve the creation, use or disclosure of PHI, the services provided by Subcontractor to Business Associate under the Agreement.

2. RESPONSIBILITIES OF SUBCONTRACTOR

With regard to its use and/or disclosure of PHI, Subcontractor agrees to:

2.1 use and/or disclose PHI only as necessary to provide the Services, as permitted or required by this Addendum, or as otherwise Required by Law.

2.2 implement and use appropriate administrative, physical and technical safeguards to (i) prevent use or disclosure of PHI other than as permitted or required by this Addendum; and (ii) reasonably and appropriately protect the confidentiality, integrity, and availability of the ePHI that Subcontractor creates, receives, maintains, or transmits on behalf of the Business Associate.

2.3 promptly and without unreasonable delay, and not greater than 15 days after the discovery of Improper Use or Disclosure, report to Business Associate (i) any use or disclosure of PHI not provided for by this Addendum of which it becomes aware; and/or (ii) any security incident of which Subcontractor becomes aware, except that, for purposes of this reporting requirement, the term Security Incident does not include inconsequential incidents that occur on a frequent basis, such as scans or pings that are not allowed past Subcontractor's firewall.
2.4 require all of its subcontractors and agents that create, receive, maintain, or transmit PHI to agree, in writing, to the same restrictions and conditions on the use and/or disclosure of PHI that apply to Subcontractor; including but not limited to the extent that Subcontractor provides ePHI to a subcontractor or agent, it shall require the subcontractor or agent to implement reasonable and appropriate safeguards to protect the ePHI consistent with the requirements of this Addendum.

2.5 make available its internal practices, books, and records relating to the use and disclosure of PHI to the Secretary for purposes of determining Business Associate's compliance with the Privacy Rule.

2.6 document, and within fifteen (15) days after receiving a written request from Business Associate, make available to Business Associate, information necessary for Business Associate to make an accounting of disclosures of PHI about an Individual, in accordance with 45 C.F.R. 164.528 as of its Compliance Date.

2.7 notwithstanding Section 2.6, in the event that Subcontractor in connection with the Services uses or maintains an Electronic Health Record of PHI of or about an Individual, then Subcontractor shall, when and as directed by Business Associate, make an accounting of disclosures of PHI directly to an Individual within fifteen (15) days, in accordance with the requirements for accounting for disclosures made through an Electronic Health Record in 42 U.S.C. 17935(c), as of its Compliance Date.
2.8 provide access within fifteen (15) days after receiving a written request from Business Associate to PHI in a Designated Record Set about an Individual, to Business Associate, sufficient to allow Business Associate to comply with the requirements of 45 C.F.R. 164.524.

2.9 notwithstanding Section 2.7, in the event that Subcontractor in connection with the Services uses or maintains an Electronic Health Record of PHI of or about an Individual, then Subcontractor shall provide an electronic copy of the PHI within fifteen (15) days, to Business Associate, sufficient to allow Business Associate to comply with 42 U.S.C. 17935(e) as of its Compliance Date.

2.10 to the extent that the PHI in Subcontractor's possession constitutes a Designated Record Set, make available, within fifteen (15) days after a written request by Business Associate, PHI for amendment and incorporate any amendments to the PHI as directed by Business Associate.

2.11 request, use and/or disclose only the minimum necessary amount of PHI necessary to accomplish the purpose of the request, use or disclosure.

2.13 not directly or indirectly receive remuneration in exchange for any PHI as prohibited by 42 U.S.C. 17935(d) as of its Compliance Date.

2.14 not make or cause to be made any communication about a product or service that is prohibited by 42 U.S.C. 17936(a) as of its Compliance Date.

2.15 not make or cause to be made any written fundraising communication that is prohibited by 42 U.S.C. 17936(b) as of its Compliance Date.

3. RESPONSIBILITIES OF BUSINESS ASSOCIATE

In addition to any other obligations set forth in the Agreement, including in this Addendum, Business Associate:

3.1 shall identify which of the records it furnishes to Subcontractor it considers to be PHI for purposes of this Addendum.

3.2 shall provide to Subcontractor only the minimum PHI necessary to accomplish the Services.
3.3 in the event that the Business Associate honors a request to restrict the use or disclosure of PHI pursuant to 45 C.F.R. 164.522(a), or makes revisions to its notice of privacy practices of Business Associate in accordance with 45 C.F.R. 164.520 that increase the limitations on uses or disclosures of PHI, or agrees to a request by an Individual for confidential communications under 45 C.F.R. 164.522(b), Business Associate agrees not to provide Subcontractor any PHI that is subject to any of those restrictions or limitations to the extent any may limit Subcontractor's ability to use and/or disclose PHI as permitted or required under this Addendum, unless Business Associate notifies Subcontractor of the restriction or limitation and Subcontractor agrees to honor the restriction or limitation.

3.4 shall be responsible for using administrative, physical and technical safeguards at all times to maintain and ensure the confidentiality, privacy and security of PHI transmitted to Subcontractor pursuant to the Agreement, including this Addendum, in accordance with the standards and requirements of HIPAA, until such PHI is received by Subcontractor.
3.5 shall obtain any consent or authorization that may be required by applicable federal or state laws and regulations prior to furnishing Subcontractor the PHI.

4. PERMITTED USES AND DISCLOSURES OF PHI

Unless otherwise limited in this Addendum, in addition to any other uses and/or disclosures permitted or required by this Addendum, Subcontractor may:

4.1 make any and all uses and disclosures of PHI necessary to provide the Services to Business Associate.

4.2 use and disclose to subcontractors and agents the PHI in its possession for its proper management and administration or to carry out the legal responsibilities of Subcontractor, provided that any third party to which Subcontractor discloses PHI for those purposes provides written assurances in advance that: (i) the information will be held confidentially and used or further disclosed only as Required by Law; (ii) the information will be used only for the purpose for which it was disclosed to the third party; and (iii) the third party promptly will notify Subcontractor of any instances of which it becomes aware in which the confidentiality of the information has been breached;

4.3 De-identify any and all PHI received or created by Subcontractor under this Addendum, which De-identified information shall not be subject to this Addendum and may be used and disclosed on Subcontractor's own behalf, all in accordance with the De-identification requirements of the Privacy Rule;

4.4 provide Data Aggregation services relating to the Health Care Operations of the Covered Entity in accordance with the Privacy Rule.

4.5 use the PHI to create a Limited Data Set ("LDS") in compliance with 45 C.F.R. 164.514(e).

5. TERMINATION AND COOPERATION

5.1 Termination.
If either Party knows of a pattern of activity or practice of the other Party that constitutes a material breach or violation of this Addendum, then the non-breaching Party shall provide written notice of the breach or violation to the other Party that specifies the nature of the breach or violation. The breaching Party must cure the breach or end the violation on or before thirty (30) days after receipt of the written notice. In the absence of a cure reasonably satisfactory to the non-breaching Party within the specified timeframe, or in the event the breach is reasonably incapable of cure, then the non-breaching Party may do the following: (i) if feasible, terminate the Agreement, including this Addendum; or (ii) if termination of the Agreement is infeasible, report the issue to HHS.

5.2 Effect of Termination or Expiration. Upon termination of the Subcontractor's services for any reason or the expiration or termination for any reason of the Agreement and/or this Addendum, Subcontractor shall return or destroy all PHI, if feasible to do so, including all PHI in possession of Subcontractor's agents or subcontractors. In the event that Subcontractor determines that return or destruction of the PHI is not feasible, Subcontractor shall notify Business Associate in writing and may retain the PHI subject to this Section 5.2. Under any circumstances, Subcontractor shall extend any and all protections, limitations and restrictions contained in this Addendum to Subcontractor's use and/or disclosure of any PHI retained after the expiration or termination of the Agreement and/or this Addendum, and shall limit any further uses and/or disclosures solely to the purposes that make return or destruction of the PHI infeasible.

5.3 Cooperation. Each Party shall cooperate in good faith in all respects with the other Party in connection with any request by a federal or state governmental authority for additional information and documents or any governmental investigation, complaint, action or other inquiry.

6. MISCELLANEOUS

6.1 Contradictory Terms; Construction of Terms. Any other provision of the Agreement that is directly contradictory to one or more terms of this Addendum ("Contradictory Term") shall be superseded by the terms of this Addendum to the extent and only to the extent of the contradiction, only for the purpose of Business Associate's and Subcontractor's compliance with HIPAA and ARRA, and only to the extent reasonably impossible to comply with both the Contradictory Term and the terms of this Addendum. The terms of this Addendum, to the extent they are unclear, shall be construed to allow for compliance by Business Associate and Subcontractor with HIPAA and ARRA.

6.2 Survival. Sections 5.2, 5.3, 6.1, and 6.2 shall survive the expiration or termination for any reason of the Agreement and/or of this Addendum.

6.3 Independent Contractor. Subcontractor and Business Associate are and shall remain independent contractors throughout the term. Nothing in this Addendum or otherwise in the Agreement shall be construed to constitute Subcontractor and Business Associate as partners, joint venturers, agents or anything other than independent contractors.

IN WITNESS WHEREOF, the parties hereto have duly executed this Agreement on the dates set forth below, to be effective as of the Agreement Effective Date.

[Vendor Name]

HR Simplified, Inc.
[Vendor Name]
Signature of Authorized Representative
Name:
Title:
Date:

HR Simplified, Inc.
Signature of Authorized Representative
Name:
Title:
Date: